YubiKey 5 Series multi-protocol hardware authentication device.
YubiKey 5 Series multi-protocol hardware authentication device. (Image: Yubico)

Derek Hanson, an expert on hardware-bound and syncable passkeys, works very closely with the FIDO Alliance and recently spoke on the topic of passkeys at the 2023 RSA Conference.

Hanson spoke with TechRepublic’s Karl Greenberg about the range of passkey implementations, from a hardware-bound passkey, such as those stored on a YubiKey, where the passkey is tied to a device and doesn’t lock a user, to shareable keys managed by a vendor (Figure A).

Figure A

Derek Hanson, VP of Standards and Alliances, Yubico.
Derek Hanson, VP of Standards and Alliances, Yubico. Image: Yubico

Karl Greenberg: With shareable passkeys that are software, not hardware-bound, what are the use cases for a physical system like YubiKey, where the passkey cannot leave the device?

Derek Hanson: While this isn’t something that every person will find necessary, it’s a critical differentiation for more vulnerable populations and companies — especially those in government, financial services and healthcare, and high-profile consumers such as celebrities and influencers.

Karl Greenberg: What has Yubico’s role been in the development of passkeys?

Derek Hanson: From our lens, and really from even the FIDO point of view, passkeys are a discoverable FIDO2 credential. When you look at it from that definition, we’ve been doing passkeys for about five years now, and it started with the launch of our YubiKey 5 series. And what we’re talking about with passkeys — and what is being really promoted right now around this passwordless authentication solution — is innovating how passkeys work so that the key material that was living on a YubiKey can now be synchronized and managed by software. And so that’s really the fundamental change: it’s about where those passkeys live.

Karl Greenberg: Where does YubiKey live in this evolving space, where passkeys are software-based instead of hardware-based?

Derek Hanson: From our perspective, there is a very good, healthy balance here, constituting a spectrum of solutions that range from higher to lower security requirements. If people are using the same way to sign into applications, the whole ecosystem benefits and everyone’s going to have a better user experience, one that’s more consistent.

Karl Greenberg: I think of YubiKey as a high-security solution for enterprises. What is the consumer use case?

Derek Hanson: A lot of users use the YubiKey for accessing their sites or their personal websites, actually, and a lot of them come into social media and email sites that they’re protecting access to if they’re an influencer or an individual in a higher-risk situation. We’re not advocating that every consumer is going to opt into YubiKey, but people who are security-aware, people with elevated personal risk levels. We want to make sure that those users are able to opt into something that they control and that offers a higher level of assurance.

SEE: How 1Password enables passkeys (TechRepublic)

Karl Greenberg: And that would always involve a system involving non-sharable passkeys stored on a physical device?

SEE: In 1Password’s crystal ball: No passwords! (TechRepublic)

Derek Hanson: Yes, but also the pairing of the physical key with their services. So, for example, making sure that I have a physical key that is used to protect my iCloud account, so if somebody steals my phone, I still have a way to sign back into my account. If your passkeys are not stored on a physical key, then they’re stored within cloud accounts. So, the risks are: How do I protect my cloud account correctly? Otherwise, it’s just kind of a nested set of shells all the way down, and you’ve got a password at the bottom no matter what you do.

Karl Greenberg: What are the vulnerabilities, from your point of view, with passkeys, that make YubiKeys still in high demand?

Derek Hanson: With a physical key, it’s not different from a key to a car. Unless I give my kid the keys to my car, he can’t take it and drive somewhere. With passkeys that are shareable, Apple’s copying the key and putting it on every Apple device in the family, which means I don’t necessarily have the control I might desire.

Karl Greenberg: Right, a conflict between security and ease of use.

Derek Hanson: I think what you’re going to see out of this is the rise of passkey management as a replacement for password managers. You’re even seeing the FIDO Alliance start talking about it and companies like 1Password moving in this direction. It’s going to come down to: How do I manage all my keys? Who has access to them? I don’t care if my family has access to my Spotify passkey, but the passkey to my 401(k)? Maybe not.

SEE: RIP World Password Day! (TechRepublic)

Karl Greenberg: What are the potential problems with the proliferation of passkeys?

Derek Hanson: A fragmented ecosystem where some websites only allow one type of passkey and another website allows a different type. We want to make sure it works like your credit card: Everywhere you go, it works the same way.

Karl Greenberg: How many passkeys can live on one YubiKey?

Derek Hanson: This current version of the YubiKey stores 25 passkeys. It protects access to my email account, my 1Password account, my Apple, Google and Microsoft accounts. It protects my email, and it has multiple identities on it.

Karl Greenberg: Is the prevalence of phishing attacks, the advent of passkeys and the growing awareness of the need for something beyond passwords raising all boats?

Derek Hanson: We are seeing a lot of awareness about passkeys. More and more services are passkey-enabled, and I am truly hopeful that within the next five years, we will see a radical reduction in phishable authentication on the market. And that will be because of passkeys. And so we will have users that use it synced across their platform devices. We’ll have users on YubiKeys; we’ll have users where it’s managed in apps.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday